I'm the coauthor of The New Killer Apps: How Large Companies Can Out-Innovate Start-Ups. I’m also the coauthor of Unleashing the Killer App: Digital Strategies for Market Dominance (Harvard Business School Press, 1998) and Billion-Dollar Lessons: What You Can Learn from the Most Inexcusable Business Failures of the Last 25 Years (Portfolio, 2008).
I cofounded and am the managing director of the Devil’s Advocate Group, a consultancy that helps business leaders design and stress test their innovation strategies.
Follow me at Facebook, Twitter @chunkamui or at Google+.

Facebook's Privacy Issues Are Even Deeper Than We Knew

Questions about what social networks mean for personal privacy and security have been brought to a head by research at Carnegie Mellon University showing that Facebook has essentially become a worldwide photo identification database. Paired with related research, we’re looking at a prospect in which good, bad and ugly actors will be able to identify a face in a crowd and know sensitive personal information about that person.

You're Tagged (Source: PittPatt.com)

These developments mean that we no longer have to worry just about what Facebook, Google+, LinkedIn and other social sites do with our data; we have to worry about what they enable others to do, too. And it now seems that others will be able to do a lot.

As reported in various privacy and security outlets like Kashmir Hill’s Forbes blog and Paul Roberts at ThreatPost, and demonstrated at last week’s Black Hat conference, the CMU researchers relied on just Facebook’s public profile information and off-the-shelf facial recognition software. Yet the CMU researchers were able to match Facebook users with their pictures on otherwise anonymous Match.com accounts. The researchers also had significant success taking pictures of experimental subjects and matching them to their Facebook profiles.

Drawing upon previous research, they were also relatively successful at guessing individuals’ Social Security numbers. From there, of course, it is just an automated click to your Google profile, LinkedIn work history, credit report, and many other slices of private information. (See the FAQ to the research here.)

(Note that this research is independent of the controversy around Facebook’s own facial recognition technology, which it recently unveiled to automatically tag users in pictures—and which authorities in Germany think might violate its privacy laws. The CMU researchers didn’t even have to log into Facebook to get to the photos there; they accessed profile information through Facebook’s search engine APIs.)

There's an App for That

The researchers have declined to make their matching system widely available. But, now that they’ve shown that it is possible, the capabilities will no doubt be replicated. And you don’t have to stretch too far to imagine intrusive and unacceptable scenarios in retail settings, advertising venues, secured environments, social spots, protest rallies, dimly lit streets, and so on.

Comments

All of the social networks have privacy issues. It is not just about Facebook; I can see that Google+ / Gmail is intruding more into personal information. Gmail is reading personal emails to serve context-specific ads. So there is no point in saying Facebook is violating privacy. I clearly see a logical fallacy in this article.

Also, all of these social networks provide an option to set your own privacy settings, which is a bit complicated for normal users.

A lot of the press is creating a fuss about Facebook privacy; it is not just about Facebook. All these social networks (Facebook, Google+, LinkedIn, Twitter) are one way or another violating privacy. This is the problem with the concept of the social network, because it influences human emotions.

@sanils, I focused on Facebook because Facebook’s *public* profile information provided the critical ingredient that enabled the CMU research results. There was no way for users to opt out. This is not a case of Facebook violating user privacy. It is, instead, unintentionally aiding and abetting others in doing so. That seems worse, in my mind.

More generally, I agree that all social networks have privacy and security implications. And, because of unintended consequences–such as the third party capabilities demonstrated in the research, the issues are even deeper than is typically discussed.

Great and also scary article! It is somewhat true that privacy and social networks is a combination that kind of excludes each other. People want to share and tell about things, if relevant or not does not really matter. The motivation of most of the so-called social networks (whose motives are not social at all) is to harvest as much data as they can to monetize you through advertising and 3rd parties or whomever is willing to pay for the data. It is scary that many people do not realize the potential danger that lures here. You never know what they will end up using the data and technology for…. There are alternatives though. There is a network up and running in beta/stealth mode that does not do ads and aggregates data to analyze user profiles and posts to then sell them off to whomever pays. They don’t do automatic face detection and things because in a network that is driven by interest and value to the members, this is not necessary. Anyway, great post from you again. Hopefully your articles help to educate people on those things.

Thanks for the kind words. Yes, there is a whole set of issues about what happens *within* the boundaries of the social networks themselves. For example, the realm of what Facebook apps do with your data is not well enough explored. The standard practice has become that apps give you very little information before asking for permission to use your data, and users don’t seem to realize that there’s no reverse button once you say “yes.”

The problem here, as you point out, is that the rise of social networks — and specifically Facebook, because it privileges real identities — has created a digital link between our photos and our names. The only way to prevent this kind of association would be to block any possible scraping of that information from Google Plus, Facebook, LinkedIn, and other sites. I don’t think that’s technologically feasible, so I suspect this is something we’re going to have to learn to live with. Privacy is always changing with the advent of new technologies — perhaps, a few years from now, the idea that we won’t be recognizable by face to strangers will be as quaint as the idea today that it would be impossible for people to carry a personal telephone and computer on their bodies at all times.

You might be right, Kashmir, that such a global identity database is inevitable. I think that some technological fire breaks are possible to slow it down, at least until we’re more ready to address the consequences. It’s not a given that Facebook has to make profile photos public, for example. It chooses to do so for its own business purposes. It could give users an option to withhold profile pictures from search engines in order to thwart potential bad actors. I would also be surprised if there were not some way to encode the data to limit the matching. I’d bet there are other options, too. It really comes down to where the networks perceive the “creepy line” to be, and how they balance their own interests with those of their users.

Correct me if I’m wrong, but I’m pretty sure this is only an issue if you set your account to public or (given that it’s Facebook) change your settings to private.

If you don’t, no one but your ‘friends’ can see your pictures, posts, info etc.

To my mind, the problem isn’t Facebook. You could arguably achieve the same results scanning photos from magazines or local newspapers, no? Facebook simply skips the ‘scan’ step.

I’d suggest that the problem is instead a forfeiture of responsibility. We expect Facebook to not only provide privacy protection options, but to actually select them for us. Somewhere along the way, we stopped thinking about whether something’s a good idea or not, and trusting that corporations would have our best interest at heart. Darwin suggests that people who think that way don’t do so well.

Again, if I’m wrong on the public setting option, my apologies. But if I’m not… when do we start thinking for ourselves?

No, actually, there’s no way to “opt out” of your profile picture being publicly accessible. Facebook users can control all of the other pictures they post but not their profile pictures. The only way to prevent this is to never upload a profile picture. I doubt, however, that the 700 million or so users who did upload profile pictures realized that they were signing up for this.

More generally, I’m not sure there’s any other practical way to assemble this sort of DB than, essentially, outsourcing the work to the users. You could get some small percentage of the population through yearbooks, magazines, newspapers, etc., but not to a scale that makes such a DB workable.

If I wasn’t so accustomed to being wrong I’d be upset right now. I suppose the only option – now that I’ve been enlightened – is to use photos that wouldn’t be suitable for use with facial recognition software, though I doubt my mother will understand what that means.

Any idea if the issue has been raised with Facebook, and whether there’s the potential for a change?